Software applications are growing in size and complexity, increasing the scope and difficulty of detecting undesired defects. The problem may be particularly acute in large commercial software development because the development team may be under constant pressure to deliver new code features and changes, sometimes multiple times a day.
With the advent of Test-Driven Development, some of the defects may be caught early. However, existing tests are focused on testing functional requirements as opposed to testing for robustness against security defects and attacks. This may expose an organization to security vulnerabilities that could result in very serious risk, as well as compliance issues.
Static application security testing (SAST) is a scalable approach that reviews the code from the moment the developer writes it in the Integrated Development Environment (IDE) or commits it to the continuous integration (CI) tool, providing early feedback that is key to reducing the code's vulnerabilities early in the software lifecycle.
However, current SAST solutions focus simply on reporting code issues; they do not provide intelligent recommendations about prioritizing remediation efforts.
The present invention is aimed at one or more of the problems identified above.